CompTIA Security+ SY0-601 (Section 5.0 Governance, Risk and Compliance)
Business Impact Analysis - Site risk assessment
• All locations are a bit different
  - Even those designed to be similar
• Recovery plans should consider unique environments
  - Applications
  - Personnel
  - Equipment
  - Work environment
Credential Policies - Credential management
• All that stands between the outside world and all of the data
  - The data is everything
• Passwords must not be embedded in the application
  - Everything needs to reside on the server, not the client
• Communication across the network should be encrypted
  - Authentication traffic should be impossible to see
Data Roles and Responsibilities - Data responsibility
• High-level data relationships
  - Organizational responsibilities, not always technical
• Data owner
  - Accountable for specific data, often a senior officer
  - VP of Sales owns the customer relationship data
  - Treasurer owns the financial information
Organizational Policies - Change management
• How to make a change
  - Upgrade software, change firewall configuration, modify switch ports
• One of the most common risks in the enterprise
  - Occurs very frequently
• Often overlooked or ignored
  - Did you feel that bite?
• Have clear policies
  - Frequency, duration, installation process, fallback procedures
• Sometimes extremely difficult to implement
  - It's hard to change corporate culture
Security Regulations and Standards - PCI DSS
• Payment Card Industry Data Security Standard (PCI DSS)
  - A standard for protecting credit cards
• Six control objectives
  - Build and maintain a secure network and systems
  - Protect cardholder data
  - Maintain a vulnerability management program
  - Implement strong access control measures
  - Regularly monitor and test networks
  - Maintain an information security policy
Secure Configurations - Application server
• Programming languages, runtime libraries, etc.
  - Usually between the web server and the database
  - Middleware
• Very specific functionality
  - Disable all unnecessary services
• Operating system updates
  - Security patches
• File permissions and access controls
  - Limit rights to what's required
  - Limit access from other devices
Personnel Security - Least privilege
• Rights and permissions should be set to the bare minimum
  - You only get exactly what's needed to complete your objective
• All user accounts must be limited
  - Applications should run with minimal privileges
• Don't allow users to run with administrative privileges
  - Limits the scope of malicious behavior
Risk Analysis - Risk control assessment
• Risk has been determined
  - Heat maps have been created
• Time to build cybersecurity requirements
  - Based on the identified risks
• Find the gap
  - Often requires a formal audit
  - Self-assessments may be an option
• Build and maintain security systems based on the requirements
  - The organizational risk determines the proper controls
• Determine if existing controls are compliant or noncompliant
  - Make plans to bring everything into compliance
Secure Configurations - Network infrastructure devices
• Switches, routers, firewalls, IPS, etc.
  - You never see them, but they're always there
• Purpose-built devices
  - Embedded OS, limited OS access
• Configure authentication
  - Don't use the defaults
• Check with the manufacturer
  - Security updates
  - Not usually updated frequently
  - Updates are usually important
Privacy and Data Breaches - Notices
• Terms of service
  - Terms of use, terms and conditions (T&C)
  - Legal agreement between service provider and user
  - User must agree to the terms to use the service
• Privacy notice, privacy policy
  - May be required by law
  - Documents the handling of personal data
  - May provide additional data options and contact information
Security Frameworks - SSAE SOC 2 Type I/II
• The American Institute of Certified Public Accountants (AICPA) auditing standard Statement on Standards for Attestation Engagements number 18 (SSAE 18)
• SOC 2
  - Trust Services Criteria (security controls)
  - Firewalls, intrusion detection, and multi-factor authentication
• Type I audit
  - Tests controls in place at a particular point in time
• Type II
  - Tests controls over a period of at least six consecutive months
Third-party Risk Management - Supply chain
• The system involved when creating a product
  - Involves organizations, people, activities, and resources
• Supply chain assessment
  - Get a product or service from supplier to customer
  - Evaluate coordination between groups
  - Identify areas of improvement
  - Assess the IT systems supporting the operation
  - Document the business process changes
• New laptops arrive with bundled malware
  - Lenovo, August 2014 through early 2015
  - Superfish software added a self-signed root cert (!)
  - Allowed for on-path attacks when browsing any site, including over HTTPS
Risk Analysis - Risk awareness
• A constantly changing battlefield
  - New risks, emerging risks
  - A nearly overwhelming amount of information
  - Difficult to manage a defense
• Knowledge is key
  - Part of every employee's daily job role
  - Part of the onboarding process for employees and partners
• Maintaining awareness
  - Ongoing group discussions
  - Presentations from law enforcement
  - Attend security conferences and programs
Organizational Policies - Change control
• A formal process for managing change
  - Avoid downtime, confusion, and mistakes
• Nothing changes without the process
  - Determine the scope of the change
  - Analyze the risk associated with the change
  - Create a plan
  - Get end-user approval
  - Present the proposal to the change control board
  - Have a backout plan if the change doesn't work
  - Document the changes
Business Impact Analysis - Removing single points of failure
• A single event can ruin your day
  - Unless you make some plans
• Network configuration
  - Multiple devices (the "Noah's Ark" of networking)
• Facility / Utilities
  - Backup power, multiple cooling devices
• People / Location
  - A good hurricane can disrupt personnel travel
• There's no practical way to remove all points of failure
  - Money drives redundancy
Risk Management Types - Risk management strategies
• Acceptance
  - A business decision; we'll take the risk!
• Risk-avoidance
  - Stop participating in a high-risk activity
• Transference
  - Buy some cybersecurity insurance
• Mitigation
  - Decrease the risk level
  - Invest in security systems
Secure Configurations - Web server hardening
• Access a server with your browser
  - The fundamental server on the Internet
  - Microsoft Internet Information Server, Apache HTTP Server, et al.
• Huge potential for access issues
  - Data leaks, server access
• Secure configuration
  - Information leakage: Banner information, directory browsing
  - Permissions: Run from a non-privileged account, configure file permissions
  - Configure SSL: Manage and install certificates
  - Log files: Monitor access and error logs
Credential Policies - Device accounts
• Access to devices
  - Mobile devices
• Local security
  - Device certificate
  - Require screen locks and unlocking standards
  - Manage through a Mobile Device Manager (MDM)
• Add additional security
  - Geography-based
  - Include additional authentication factors
  - Associate a device with a user
Credential Policies - Third-party accounts
• Access to external third-party systems
  - Cloud platforms for payroll, enterprise resource planning, etc.
• Third-party access to corporate systems
  - Access can come from anywhere
• Add additional layers of security
  - 2FA (two-factor authentication)
  - Audit the security posture of third parties
• Don't allow account sharing
  - All users should have their own account
Personnel Security - Off-boarding
• All good things... (But you knew this day would come)
• This process should be pre-planned
  - You don't want to decide how to do things at this point
• What happens to the hardware and the data?
• Account information is usually deactivated
  - But not always deleted
Privacy and Data Breaches - Privacy impact assessment (PIA)
• Almost everything can affect privacy
  - New business relationships, product updates, website features, service offerings
• Privacy risk needs to be identified in each initiative
  - How could the process compromise customer privacy?
• Advantages
  - Fix privacy issues before they become a problem
  - Provides evidence of a focus on privacy
  - Avoid data breaches
  - Shows the importance of privacy to everyone
Credential Policies - Personnel accounts
• An account on a computer associated with a specific person
  - The computer associates the user with a specific identification number
• Storage and files can be private to that user
  - Even if another person is using the same computer
• No privileged access to the operating system
  - Specifically not allowed on a user account
• This is the account type most people will use
  - Your user community
Personnel Security - Background checks
• Background checks
  - Pre-employment screening
  - Verify the applicant's claims
  - Discover criminal history, workers' compensation claims, etc.
  - Legalities vary by country
• Adverse actions
  - An action that denies employment based on the background check
  - May require extensive documentation
  - Can also include existing employees
Personnel Security - Role-based security awareness training
• Before providing access, train your users
  - Detailed security requirements
• Specialized training
  - Each user role has unique security responsibilities
• Also applies to third parties
  - Contractors, partners, suppliers
• Detailed documentation and records
  - Problems later can be severe for everyone
Risk Management Types - Multi-party risk
• Breaches involving multiple parties
  - Often trusted business relationships
  - Events often involve many different parties
• May 2019 - American Medical Collection Agency
  - Provided debt collection for many different organizations
  - Data breach disclosed personal information on 24 million individuals
  - Twenty-three healthcare organizations affected by this single breach
  - A single breach can cause a ripple effect
Personnel Security - On-boarding
• Bring a new person into the organization
  - New hires or transfers
• IT agreements need to be signed
  - May be part of the employee handbook or a separate AUP
• Create accounts
  - Associate the user with the proper groups and departments
• Provide required IT hardware
  - Laptops, tablets, etc.
  - Preconfigured and ready to go
Security Frameworks - Center for Internet Security (CIS)
• Center for Internet Security
  - Critical Security Controls for Effective Cyber Defense (CIS CSC)
• Improve cyber defenses
  - Twenty key actions (the critical security controls)
  - Categorized for different organization sizes
• Designed for implementation
  - Written for IT professionals
  - Includes practical and actionable tasks
Security Regulations and Standards - Compliance
• Compliance
  - Meeting the standards of laws, policies, and regulations
• A healthy catalog of regulations and laws
  - Across many aspects of business and life
  - Many are industry-specific or situational
• Penalties
  - Fines, incarceration, loss of employment
• Scope
  - Covers national, territory, or state laws
  - Domestic and international requirements
Third-party Risk Management - Non-disclosure agreement (NDA)
• Confidentiality agreement between parties
  - Information in the agreement should not be disclosed
• Protects confidential information
  - Trade secrets
  - Business activities
  - Anything else listed in the NDA
• Unilateral or bilateral (or multilateral)
  - One-way NDA or mutual NDA
• Formal contract
  - Signatures are usually required
Privacy and Data Breaches - Information life cycle
• Creation and receipt
  - Create data internally or receive data from a third party
• Distribution
  - Records are sorted and stored
• Use
  - Make business decisions, create products and services
• Maintenance
  - Ongoing data retrieval and data transfers
• Disposition
  - Archiving or disposal of data
Data Roles and Responsibilities - Data roles
• Data controller
  - Manages the purposes and means by which personal data is processed
• Data processor
  - Processes data on behalf of the data controller
  - Often a third party or different group
• Payroll controller and processor
  - Payroll department (data controller) defines payroll amounts and timeframes
  - Payroll company (data processor) processes payroll and stores employee information
Data Roles and Responsibilities - Additional data roles
• Data custodian/steward
  - Responsible for data accuracy, privacy, and security
  - Associates sensitivity labels with the data
  - Ensures compliance with any applicable laws and standards
  - Manages the access rights to the data
  - Implements security controls
• Data protection officer (DPO)
  - Responsible for the organization's data privacy
  - Sets policies, implements processes and procedures
Enhancing privacy - Data masking
• Data obfuscation
  - Hide some of the original data
• Protects PII
  - And other sensitive data
• May only be hidden from view
  - The data may still be intact in storage
  - Control the view based on permissions
• Many different techniques
  - Substituting, shuffling, encrypting, masking out, etc.
Business Impact Analysis - Disaster recovery plan (DRP)
• Detailed plan for resuming operations after a disaster
  - Application, data center, building, campus, region, etc.
• Extensive planning prior to the disaster
  - Backups
  - Off-site data replication
  - Cloud alternatives
  - Remote site
• Many third-party options
  - Physical locations
  - Recovery services
Credential Policies - Administrator/root accounts
• Elevated access to one or more systems
  - Super user access
• Complete access to the system
  - Often used to manage hardware, drivers, and software installation
• This account should not be used for normal administration
  - User accounts should be used
• Needs to be highly secured
  - Strong passwords, 2FA
  - Scheduled password changes
Third-party Risk Management - Product support lifetime
• End of life (EOL)
  - Manufacturer stops selling a product
  - May continue supporting the product
  - Important for security patches and updates
• End of service life (EOSL)
  - Manufacturer stops selling a product
  - Support is no longer available for the product
  - No ongoing security patches or updates
  - May have a premium-cost support option
• Technology EOSL is a significant concern
  - Security patches are part of normal operation
Risk Analysis - Disaster types
• Environmental threats
  - Tornado, hurricane, earthquake, severe weather
• Person-made threats
  - Human intent, negligence, or error
  - Arson, crime, civil disorder, fires, riots, etc.
• Internal and external
  - Internal threats are from employees
  - External threats are from outside the organization
Security Regulations and Standards - GDPR (General Data Protection Regulation)
• European Union regulation
  - Data protection and privacy for individuals in the EU
  - Name, address, photo, email address, bank details, posts on social networking websites, medical information, a computer's IP address, etc.
• Controls export of personal data
  - Users can decide where their data goes
• Gives individuals control of their personal data
  - A right to be forgotten
• Site privacy policy
  - Details all of the privacy rights for a user
Third-party Risk Management - Vendors
• Every organization works with vendors
  - Payroll, customer relationship management, email marketing, travel, raw materials
• Important company data is often shared
  - May be required for cloud-based services
• Perform a risk assessment
  - Categorize risk by vendor and manage the risk
• Use contracts for clear understanding
  - Make sure everyone understands the expectations
  - Use the contract to enforce a secure environment
Third-party Risk Management - Target credit card breach - November 2013
• Every point of sale terminal infected
  - A third party was allowed in through lapses in security policy
• A vendor was infected through an email attachment
  - The vendor didn't have or follow a security policy for their workstations
• Target didn't segment the vendor network from the corporate network
  - The attackers jumped from the vendor to the Target network
• The corporate network was not segmented from point of sale (POS) terminals
  - Once on the inside, it was relatively easy to get to your credit card numbers
  - (110 million card numbers)
Risk Management Types - Risk assessments
• External threats
  - Outside the organization
  - Hacker groups, former employees
• Internal threats
  - Employees and partners
  - Disgruntled employees
• Legacy systems
  - Outdated, older technologies
  - May not be supported by the manufacturer
  - May not have security updates
  - Depending on the age, may not be easily accessible
• Intellectual Property (IP) theft
  - Theft of ideas, inventions, and creative expressions
  - Human error, hacking, employees with access, etc.
  - Identify and protect IP
  - Educate employees and increase security
• Software compliance/licensing
  - Operational risk with too few licenses
  - Financial risk with budgeting and over-allocated licenses
  - Legal risk if proper licensing is not followed
Personnel Security - User training
• Gamification
  - Score points, compete with others, collect badges
• Capture the flag (CTF)
  - Security competition
  - Hack into a server to steal data (the flag)
  - Can involve highly technical simulations
  - A practical learning environment
• Phishing simulation
  - Send simulated phishing emails
  - Make vishing calls
  - See which users are susceptible to phishing attacks without being a victim of phishing
• Computer-based training (CBT)
  - Automated pre-built training
  - May include video, audio, and Q&A
  - Users all receive the same training experience
Organizational Policies - Asset management
• Identify and track computing assets
  - Usually an automated process
• Respond faster to security problems
  - You know who, what, and where
• Keep an eye on the most valuable assets
  - Both hardware and data
• Track licenses
  - You know exactly how many you'll need
• Verify that all devices are up to date
  - Security patches, anti-malware signature updates, etc.
Risk Management Types - Risk assessment
• Identify assets that could be affected by an attack
  - Define the risk associated with each asset
  - Hardware, customer data, intellectual property
• Identify threats
  - Loss of data, disruption of services, etc.
• Determine the risk
  - High, medium, or low risk
• Assess the total risk to the organization
  - Make future security plans
Managing Data - Data classification
• Identify data types
  - Personal, public, restricted, etc.
  - Use and protect data efficiently
• Associate governance controls with the classification levels
  - How the data class should be managed
• Data compliance
  - Laws and regulations regarding certain types of data
  - GDPR - General Data Protection Regulation
Risk Analysis - Qualitative risk assessment
• Identify significant risk factors
  - Ask opinions about the significance
  - Display visually with a traffic light grid or similar method
Business Impact Analysis - Mission-essential functions
• If a hurricane blew through, what functions would be essential to the organization?
  - That's where you start your analysis
  - These are broad business requirements
• What computing systems are required for these mission-essential business functions?
  - Identify the critical systems
Risk Analysis - Audit risk model
• Inherent risk
  - Impact + Likelihood
  - Risk that exists in the absence of controls
  - Some models include the existing set of controls
• Residual risk
  - Inherent risk + control effectiveness
  - Risk that exists after controls are considered
  - Some models base it on including additional controls
• Risk appetite
  - The amount of risk an organization is willing to take
Privacy and Data Breaches - Notification
• Internal escalation process
  - Breaches are often found by technicians
  - Provide a process for making those findings known
• External escalation process
  - Know when to ask for assistance from external resources
  - Security experts can find and stop an active breach
• Public notifications and disclosures
  - Refer to security breach notification laws
  - All 50 US states, EU, Australia, etc.
  - Delays might be allowed for criminal investigations
Security Frameworks - ISO/IEC frameworks
• International Organization for Standardization / International Electrotechnical Commission
• ISO/IEC 27001
  - Standard for an Information Security Management System (ISMS)
• ISO/IEC 27002
  - Code of practice for information security controls
• ISO/IEC 27701
  - Privacy Information Management Systems (PIMS)
• ISO 31000
  - International standards for risk management practices
Personnel Security - Business policies
• Job rotation
  - Keep people moving between responsibilities
  - No one person maintains control for long periods of time
• Mandatory vacations
  - Rotate others through the job
  - The longer the vacation, the better chance to identify fraud
  - Especially important in high-security environments
• Separation of duties
  - Split knowledge
    - No one person has all of the details
    - Half of a safe combination
  - Dual control
    - Two people must be present to perform the business function
    - Two keys open a safe (or launch a missile)
• Clean desk policy
  - When you leave, nothing is on your desk
  - Limit the exposure of sensitive data to third parties
Managing Data - Data retention
• Keep files that change frequently for version control
  - Files change often
  - Keep at least a week, perhaps more
• Recover from virus infection
  - Infection may not be identified immediately
  - May need to retain 30 days of backups
• Often legal requirements for data retention
  - Email storage may be required over years
  - Some industries must legally store certain data types
  - Different data types have different storage requirements
  - Corporate tax information, customer PII, tape backups, etc.
Business Impact Analysis - Impact
• Life
  - The most important consideration
• Property
  - The risk to buildings and assets
• Safety
  - Some environments are too dangerous to work in
• Finance
  - The resulting financial cost
• Reputation
  - An event can cause status or character problems
Enhancing privacy - Anonymization
• Make it impossible to identify individual data from a dataset
  - Allows for data use without privacy concerns
• Many different anonymization techniques
  - Hashing, masking, etc.
• Convert from detailed customer purchase data
  - Remove name and address; change phone number to ### ### ####
  - Keep product name, quantity, total, and sale date
• Anonymization cannot be reversed
  - No way to associate the data to a user
Security Controls - Control categories
• Managerial controls
  - Controls that address security design and implementation
  - Security policies, standard operating procedures
• Operational controls
  - Controls that are implemented by people
  - Security guards, awareness programs
• Technical controls
  - Controls implemented using systems
  - Operating system controls
  - Firewalls, anti-virus
Secure Configurations - Operating system hardening
• Many and varied
  - Windows, Linux, iOS, Android, et al.
• Updates
  - Operating system updates/service packs, security patches
• User accounts
  - Minimum password lengths and complexity
  - Account limitations
• Network access and security
  - Limit network access
• Monitor and secure
  - Anti-virus, anti-malware
Risk Analysis - Regulations that affect risk posture
• Many of them
  - Regulations tend to regulate
• Regulations directly associated with cybersecurity
  - Protection of personal information, disclosure of information breaches
  - Requires a minimum level of information security
• HIPAA - Health Insurance Portability and Accountability Act
  - Privacy of patient records
  - New storage requirements, network security, protect against threats
• GDPR - General Data Protection Regulation
  - European Union data protection and privacy
  - Personal data must be protected and managed for privacy
Enhancing privacy - Data minimization
• Minimal data collection
  - Only collect and retain necessary data
• Included in many regulations
  - HIPAA has a "Minimum Necessary" rule
  - GDPR - "Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed."
• Some information may not be required
  - Do you need a telephone number or address?
• Internal data use should be limited
  - Only access data required for the task
Third-party Risk Management - Business partners
• Much closer to your data than a vendor
  - May require direct access
  - May be a larger security concern than an outside hacker
• Often involves communication over a trusted connection
  - More difficult to identify malicious activity
• Partner risk management should be included
  - Requirements for best practices, data handling, intellectual property
• Include additional security between partners
  - Firewalls and traffic filters
Personnel Security - Personnel security procedures
• NDA (Non-disclosure agreement)
  - Confidentiality agreement / Legal contract
  - Prevents the use and dissemination of confidential information
• Social media analysis
  - Gather data from social media
  - Facebook, Twitter, LinkedIn, Instagram
  - Build a personal profile
  - Another data point when making a hiring decision
Security Frameworks - NIST CSF
• National Institute of Standards and Technology
  - Cybersecurity Framework (CSF)
  - A voluntary commercial framework
• Framework Core
  - Identify, Protect, Detect, Respond, and Recover
• Framework Implementation Tiers
  - An organization's view of cybersecurity risk and processes to manage the risk
• Framework Profile
  - The alignment of standards, guidelines, and practices to the Framework Core
Security Frameworks - NIST RMF
• National Institute of Standards and Technology
  - Risk Management Framework (RMF)
  - Mandatory for US federal agencies and organizations that handle federal data
• Six-step process
  - Step 1: Categorize - Define the environment
  - Step 2: Select - Pick appropriate controls
  - Step 3: Implement - Define proper implementation
  - Step 4: Assess - Determine if controls are working
  - Step 5: Authorize - Make a decision to authorize a system
  - Step 6: Monitor - Check for ongoing compliance
Secure Configurations
• No system is secure with the default configurations
  - You need some guidelines to keep everything safe
• Hardening guides are specific to the software or platform
  - Get feedback from the manufacturer or Internet interest group
  - They'll have the best details
• Other general-purpose guides are available online
Data Classifications - Labeling sensitive data
• Not all data has the same level of sensitivity
  - License tag numbers vs. health records
• Different levels require different security and handling
  - Additional permissions
  - A different process to view
  - Restricted network access
Security Controls - Control types
• Preventive
  - Physically control access
  - Door lock
  - Security guard
  - Firewall
• Detective
  - May not prevent access
  - Identifies and records any intrusion attempt
  - Motion detector, IDS/IPS
• Corrective
  - Designed to mitigate damage
  - IPS can block an attacker
  - Backups can mitigate a ransomware infection
  - A backup site can provide options when a storm hits
• Deterrent
  - May not directly prevent access
  - Discourages an intrusion attempt
  - Warning signs, login banner
• Compensating
  - Doesn't prevent an attack
  - Restores using other means
  - Re-image or restore from backup
  - Hot site
  - Backup power system
• Physical
  - Fences, locks, mantraps
  - Real-world security
Data Classifications - Data classifications
• Proprietary
  - Data that is the property of an organization
  - May also include trade secrets
  - Often data unique to an organization
• PII - Personally Identifiable Information
  - Data that can be used to identify an individual
  - Name, date of birth, mother's maiden name, biometric information
• PHI - Protected Health Information
  - Health information associated with an individual
  - Health status, health care records, payments for health care, and much more
• Public / Unclassified
  - No restrictions on viewing the data
• Private / Classified / Restricted / Internal use only
  - Restricted access, may require a non-disclosure agreement (NDA)
• Sensitive
  - Intellectual property, PII, PHI
• Confidential
  - Very sensitive, must be approved to view
• Critical
  - Data should always be available
• Financial information
  - Internal company financial information
  - Customer financial details
• Government data
  - Open data
  - Transfer between government entities
  - May be protected by law
• Customer data
  - Data associated with customers
  - May include user-specific details
  - Legal handling requirements
Enhancing privacy - Pseudo-anonymization
• Pseudonymization
  - Replace personal information with pseudonyms
  - Often used to maintain statistical relationships
• May be reversible
  - Hide the personal data for daily use or in case of breach
  - Convert it back for other processes
• Random replacement
  - James Messer -> Jack O'Neill -> Sam Carter -> Daniel Jackson
• Consistent replacements
  - James Messer is always converted to George Hammond
Business Impact Analysis - Functional recovery plans
• Recover from an outage
  - Step-by-step guide
• Contact information
  - Someone is on-call
  - Keep everyone up to date
• Technical process
  - Reference the knowledge base
  - Follow the internal processes
• Recover and test
  - Confirm normal operation
Business Impact Analysis - Recovery
• Recovery time objective (RTO)
  - Get up and running quickly
  - Get back to a particular service level
• Recovery point objective (RPO)
  - How much data loss is acceptable?
  - Bring the system back online; how far back does data go?
• Mean time to repair (MTTR)
  - Time required to fix the issue
• Mean time between failures (MTBF)
  - Predict the time between outages
Enhancing privacy - Tokenization
• Replace sensitive data with a non-sensitive placeholder
  - SSN 266-12-1112 is now 691-61-8539
• Common with credit card processing
  - Use a temporary token during payment
  - An attacker capturing the card numbers can't use them later
• This isn't encryption or hashing
  - The original data and token aren't mathematically related
  - No encryption overhead
Privacy and Data Breaches - Consequences
• Reputation damage
  - Opinion of the organization becomes negative
  - Can have an impact on products or services
  - Can impact stock price
• Identity theft
  - Company and/or customer information becomes public
  - May require public disclosure
  - Credit monitoring costs
• Fines
  - Uber - Data breach in 2016 wasn't disclosed
  - Uber paid the hackers $100,000 instead
  - Lawsuit settlement was $148 million
• Equifax
  - 2017 data breach
  - Government fines were approximately $700 million
• Intellectual Property (IP) theft
  - Stealing company secrets
  - Can put an organization out of business
Risk Analysis - Evaluating risk
• Risk register
  - Every project has a plan, but also has risk
  - Identify and document the risk associated with each step
  - Apply possible solutions to the identified risks
  - Monitor the results
• Risk matrix / risk heat map
  - View the results of the risk assessment
  - Visually identify risk based on color
  - Combines the likelihood of an event with the potential impact
  - Assists with making strategic decisions
Managing Data - Data governance
• Rules, processes, and accountability associated with an organization's data
  - Data is used in the right ways
• Data steward
  - Manages the governance processes
  - Responsible for data accuracy, privacy, and security
  - Associates sensitivity labels with the data
  - Ensures compliance with any applicable laws and standards
• Formal rules for data
  - Everyone must know and follow the processes
Security Frameworks
• Secure your data.
  - Where do you start? What are the best practices?
  - If only there was a book.
• Often a complex problem
  - Unique organizational requirements
  - Compliance and regulatory requirements
  - Many different processes and tools are available
• Use a security framework
  - Documented processes
  - A guide for creating a security program
  - Define tasks and prioritize projects
Security Frameworks - Cloud Security Alliance (CSA)
• Security in cloud computing
  - Not-for-profit organization
• Cloud Controls Matrix (CCM)
  - Cloud-specific security controls
  - Controls are mapped to standards, best practices, and regulations
• Enterprise Architecture
  - Methodology and tools
  - Assess internal IT groups and cloud providers
  - Determine security capabilities
  - Build a roadmap
Security Controls
• Security risks are out there
  - Many different types to consider
• Assets are also varied
  - Data, physical property, computer systems
• Prevent security events, minimize the impact, and limit the damage
  - Security controls
Third-party Risk Management - Common agreements
• Service Level Agreement (SLA)
  - Minimum terms for services provided
  - Uptime, response time agreement, etc.
  - Commonly used between customers and service providers
• Memorandum of Understanding (MOU)
  - Both sides agree on the contents of the memorandum
  - Usually includes statements of confidentiality
  - Informal letter of intent; not a signed contract
• Measurement system analysis (MSA)
  - Don't make decisions based on incorrect data!
  - Used with quality management systems, e.g., Six Sigma
  - Assess the measurement process
  - Calculate measurement uncertainty
• Business Partnership Agreement (BPA)
  - Going into business together
  - Owner stake
  - Financial contract
  - Decision-making agreements
  - Prepare for contingencies
Credential Policies - Service accounts
• Used exclusively by services running on a computer
  - No interactive/user access (ideally)
  - Web server, database server, etc.
• Access can be defined for a specific service
  - Web server rights and permissions will be different from a database server's
• Commonly use usernames and passwords
  - You'll need to determine the best policy for password updates
Personnel Security - Acceptable use policies (AUP)
• What is acceptable use of company assets?
  - Detailed documentation
  - May be documented in the Rules of Behavior
• Covers many topics
  - Internet use, telephones, computers, mobile devices, etc.
• Used by an organization to limit legal liability
  - If someone is dismissed, these are the well-documented reasons why